MDKSA-2000:045-1

Problem description

A bug was discovered in ld.so that could allow local users to obtain
root privileges. The dynamic loader, ld.so, is responsible for making
shared libraries available within a program at run-time. Normally, a
user is allowed to load additional shared libraries when executing a
program; they can be specified with environment variables such as
LD_PRELOAD. Because this is not acceptable for applications that are
setuid root, ld.so normally removes these environment variables for
setuid root programs. The discovered bug causes these environment
variables to not be removed under certain circumstances. While
setuid programs themselves are not vulnerable, external programs they
execute can be affected by this problem.
A number of additional bugs have been found in the glibc locale and
internationaliztion security checks. In internationalized programs,
users are permitted to select a locale or choose message catalogues
using environment variables such as LANG or LC_*. The content of
these variables is then used as part of the pathname used to search
message catalogues or locale files. Under normal circumstances, if
these variables contained the "/" character, a program could load the
internationalization files from arbitrary directories. This is not
acceptable for setuid programs, which is the reason glibc does not
allow certain settings of these variables if the program is setuid
or setgid. However, some of these checks were done in inapporpriate
places, contained bugs, or were missing entirely. It is highly
probable that some of these bugs can be used for local root exploits.
Update:
Packages are now available for Linux-Mandrake 6.0 and 6.1.